2016-12-31

Control Is Not Data

(First published in the DHS ICSJWG Dec/2016 Newsletter as Control Is Not Data.)

IT gurus tell us that control system security is essentially the same as IT security, and that both are about "protecting the data." The gurus tell us that, yes, there are two kinds of "data" in control systems - monitoring data and control data - but "data is data." They tell us that all we need to do is protect the CIA, or AIC, or IAC, or something, of the data and we're done - we're secure.

They are wrong.